chore: add Dependabot security-only update config #1
Add Dependabot configuration for cargo and github-actions ecosystems with weekly schedule. Include automerge workflow for patch/minor updates and dependency-audit workflow for vulnerability scanning. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Pull request overview
Adds Dependabot configuration and GitHub Actions workflows to improve dependency security automation (scheduled updates, automated merging of safe Dependabot PRs, and CI vulnerability auditing).
Changes:
- Added `.github/dependabot.yml` to configure Dependabot updates for Cargo and GitHub Actions.
- Added a `dependency-audit` workflow to detect ecosystems and run relevant vulnerability scanners (including `cargo audit`).
- Added a `dependabot-automerge` workflow to auto-approve and squash-merge eligible Dependabot PRs.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 8 comments.
| File | Description |
|---|---|
| .github/dependabot.yml | Configures Dependabot update schedules/limits and labels for Cargo + GitHub Actions. |
| .github/workflows/dependency-audit.yml | Adds CI workflow that detects ecosystems and runs vulnerability audit tools. |
| .github/workflows/dependabot-automerge.yml | Adds workflow to auto-approve and merge Dependabot PRs based on update type. |
| contents: read | ||
|
|
||
| jobs: | ||
| detect: |
This workflow uses ubuntu-latest for all jobs, but the repository’s other workflows pin runners (e.g., ubuntu-24.04 in .github/workflows/ci.yml and release.yml). Using ubuntu-latest can introduce sudden environment changes; consider pinning to the same runner version for consistency and stability.
| while IFS= read -r dir; do | ||
| echo "::group::govulncheck $dir" | ||
| if ! (cd "$dir" && govulncheck ./...); then | ||
| status=1 | ||
| fi |
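Review bot: the `::group::` opened by `echo "::group::govulncheck $dir"` is never closed in this hunk; add `echo "::endgroup::"` after the `fi` so each module's output folds separately and a failing module's findings are not buried inside the next module's group.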
cargo install cargo-audit without version pinning (and without --locked) is non-deterministic and can break the workflow when a new cargo-audit release lands. Consider pinning a known-good version and/or using --locked (and optionally caching) to make the audit job more reliable and faster.
| schedule: | ||
| interval: "weekly" | ||
| open-pull-requests-limit: 0 | ||
| labels: | ||
| - "security" |
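Review bot: `open-pull-requests-limit: 0` disables version updates for this ecosystem while leaving Dependabot security updates enabled, which is the security-only behaviour the PR title promises; a one-line comment above it would stop a later reader from "fixing" the 0 as a misconfiguration. Since the `security` label is applied to the security PRs that are still opened, the automerge workflow can require that label in addition to the update type before approving.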
The PR description says Cargo updates should be security-only (open-pull-requests-limit 0), but this entry is configured to allow up to 10 version-update PRs. If the intent is security-only for Cargo, set open-pull-requests-limit to 0 so Dependabot doesn’t open routine version bump PRs.
| run: | | ||
| status=0 | ||
| while IFS= read -r dir; do | ||
| echo "::group::govulncheck $dir" | ||
| if ! (cd "$dir" && govulncheck ./...); then |
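Review bot: the `status=0` accumulator only affects the job result if the `run` script ends with `exit "$status"`; the hunk stops before the end of the loop, so confirm that final line exists, otherwise a failing `govulncheck` is logged but the job stays green. Keep the `if ! (...)` wrapper as written: the step inherits the Actions default `bash -eo pipefail`, and a bare `govulncheck` call would abort the loop at the first failing module instead of scanning them all.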
The Cargo audit job uses cargo install/cargo audit but never installs a Rust toolchain. This repo’s CI installs Rust explicitly; without a toolchain, these steps can fail (or run with an unexpected version). Add a Rust toolchain setup step before running cargo commands.
| echo "npm=false" >> "$GITHUB_OUTPUT" | ||
| fi | ||
|
|
||
| # Go modules — detect via go.mod (not go.sum, which may not exist) | ||
| if find . -name 'go.mod' -not -path '*/vendor/*' | grep -q .; then |
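Review bot: under the Actions default `bash -eo pipefail`, `find . -name 'go.mod' ... | grep -q .` can spuriously evaluate to false when `grep -q` exits on the first match and `find` is killed by SIGPIPE while still walking the tree, so a repo with a go.mod could be reported as having no Go modules. Add `-print -quit` to the `find` so it stops after the first hit, and reuse the identical `find` expression in the audit job's loop so detection and enumeration cannot drift apart again.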
Go ecosystem detection is based on finding go.sum, but the audit step enumerates go.mod files. Repos can have go.mod without a committed go.sum, in which case this workflow would skip Go auditing. Detect using go.mod (or both) to match the audit logic.
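The detection and audit logic discussed above, written out as an added illustration that is not the PR's own workflow code: a POSIX shell script that detects ecosystems by manifest file (go.mod rather than go.sum; Cargo.lock for `cargo audit`; package-lock.json for npm; these file choices are assumptions), enumerates Go module directories with the same `find` expression the detection uses so the two cannot drift, and runs a scanner in each module between `::group::`/`::endgroup::` markers while accumulating a non-zero status. The scanner command is a parameter so the script can be exercised offline with a stub; in the real workflow you would pass `govulncheck` and append the detection output to `$GITHUB_OUTPUT`.

```shell
#!/bin/sh
# Added example, not the PR's workflow. Assumed layout: a repo root is passed
# as $1 and the scanner command as $2 (hypothetical; stubbed in tests).

# Single source of truth for "where are the Go modules": used by both
# detection and the audit loop. -print -quit stops find at the first match
# when used for detection, avoiding a SIGPIPE race under `set -o pipefail`.
go_module_dirs() {
    find "$1" -name go.mod -not -path '*/vendor/*' -exec dirname {} \; | sort
}

# detect_ecosystems ROOT
# Prints key=value lines (cargo=, go=, npm=). In CI these lines would be
# appended to "$GITHUB_OUTPUT" instead of stdout.
detect_ecosystems() {
    root=$1
    cargo=false; go=false; npm=false
    # cargo audit reads the lockfile, so key on Cargo.lock (assumption).
    [ -f "$root/Cargo.lock" ] && cargo=true
    # Detect via go.mod, not go.sum: go.sum need not be committed.
    if find "$root" -name go.mod -not -path '*/vendor/*' -print -quit | grep -q .; then
        go=true
    fi
    [ -f "$root/package-lock.json" ] && npm=true
    printf 'cargo=%s\ngo=%s\nnpm=%s\n' "$cargo" "$go" "$npm"
}

# run_audits ROOT SCANNER
# Runs SCANNER inside every Go module directory, each in its own collapsible
# log group, scans every module even after a failure so the log shows all
# findings at once, and returns 1 if any run failed.
# The module list is fed through a here-document rather than a pipe: a
# `... | while` loop runs in a subshell and the status=1 assignment would
# be lost, leaving the job green after a failing scan.
run_audits() {
    root=$1; scanner=$2; status=0
    while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        echo "::group::$scanner $dir"
        if ! (cd "$dir" && "$scanner" ./...); then
            status=1
        fi
        echo "::endgroup::"
    done <<EOF
$(go_module_dirs "$root")
EOF
    return "$status"
}

# Stand-alone usage: sh audit.sh /path/to/repo govulncheck
if [ $# -ge 2 ]; then
    detect_ecosystems "$1"
    run_audits "$1" "$2"
fi
```

The last `return "$status"` is what makes a finding fail the step; with the loop in a pipeline subshell the same script would always return 0, which is the failure mode the accumulator pattern in the workflow has to guard against.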
Summary
- `.github/dependabot.yml` with cargo (security-only, limit 0) and github-actions (version updates, limit 10) ecosystems
- `dependabot-automerge.yml` workflow for auto-approving and squash-merging patch/minor Dependabot PRs
- `dependency-audit.yml` CI workflow that runs `cargo audit` on every PR and push to main

Aligns with org-wide Dependabot security-only standards (petry-projects/.github#9).
Test plan
- `dependabot.yml` is valid YAML and accepted by GitHub
- `dependency-audit.yml` detects Cargo ecosystem and runs `cargo audit`
- `dependabot-automerge.yml` workflow syntax is valid

🤖 Generated with Claude Code